Switch CheckOpts to take ociremote.Options. (#738)

* Switch `CheckOpts` to take `ociremote.Option`s. This is as a precursor to starting to fold some other stuff together, e.g. the SigSuffix option. Signed-off-by: Matt Moore <[email protected]> * Rename RemoteOpts to ClientOpts Signed-off-by: Matt Moore <[email protected]>
sigstore · Sep 21, 2021 · f815e25 · f815e25
1 parent e7395a7
commit f815e25
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 17 deletions.
diff --git a/cmd/cosign/cli/options/flags.go b/cmd/cosign/cli/options/flags.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	ociremote "github.com/sigstore/cosign/internal/oci/remote"
 )
 
 // OneOf ensures that only one of the supplied interfaces is set to a non-zero value.
@@ -46,6 +47,10 @@ type RegistryOpts struct {
 	AllowInsecure bool
 }
 
+func (co *RegistryOpts) ClientOpts(ctx context.Context) []ociremote.Option {
+	return []ociremote.Option{ociremote.WithRemoteOptions(co.GetRegistryClientOpts(ctx)...)}
+}
+
 func (co *RegistryOpts) GetRegistryClientOpts(ctx context.Context) []remote.Option {
 	opts := defaultRegistryClientOpts(ctx)
 	if co != nil && co.AllowInsecure {

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -132,11 +132,9 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 		return &options.KeyParseError{}
 	}
 
-	remoteOpts := c.RegistryOpts.GetRegistryClientOpts(ctx)
-
 	co := &cosign.CheckOpts{
 		Annotations:        *c.Annotations,
-		RegistryClientOpts: remoteOpts,
+		RegistryClientOpts: c.RegistryOpts.ClientOpts(ctx),
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
@@ -168,7 +166,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 	co.SigVerifier = pubKey
 
 	for _, img := range args {
-		ref, err := sign.GetAttachedImageRef(img, c.Attachment, remoteOpts...)
+		ref, err := sign.GetAttachedImageRef(img, c.Attachment, c.RegistryOpts.GetRegistryClientOpts(ctx)...)
 		if err != nil {
 			return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
 		}

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -122,7 +122,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 	}
 
 	co := &cosign.CheckOpts{
-		RegistryClientOpts:   c.GetRegistryClientOpts(ctx),
+		RegistryClientOpts:   c.ClientOpts(ctx),
 		SigTagSuffixOverride: cosign.AttestationTagSuffix,
 	}
 	if c.CheckClaims {

diff --git a/copasetic/main.go b/copasetic/main.go
@@ -190,7 +190,7 @@ func main() {
 				PKOpts:             []signature.PublicKeyOption{ctxOpt},
 				ClaimVerifier:      cosign.SimpleClaimVerifier,
 				RootCerts:          fulcio.GetRoots(),
-				RegistryClientOpts: regOpts.GetRegistryClientOpts(bctx.Context),
+				RegistryClientOpts: regOpts.ClientOpts(bctx.Context),
 				RekorURL:           *rekorURL,
 			}
 			sps, _, err := cosign.Verify(bctx.Context, ref, co)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -30,7 +30,6 @@ import (
 	"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 
 	"github.com/sigstore/cosign/internal/oci"
@@ -47,7 +46,7 @@ type CheckOpts struct {
 	// SigTagSuffixOverride overrides the suffix of the derived signature image tag. Default: ".sig"
 	SigTagSuffixOverride string
 	// RegistryClientOpts are the options for interacting with the container registry.
-	RegistryClientOpts []remote.Option
+	RegistryClientOpts []ociremote.Option
 
 	// Annotations optionally specifies image signature annotations to verify.
 	Annotations map[string]interface{}
@@ -85,9 +84,8 @@ func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (ch
 		}
 	}
 
-	opts := []ociremote.Option{
-		ociremote.WithRemoteOptions(co.RegistryClientOpts...),
-	}
+	opts := co.RegistryClientOpts
+
 	// These are all the signatures attached to our image that we know how to parse.
 	if co.SigTagSuffixOverride != "" {
 		opts = append(opts, ociremote.WithSignatureSuffix(co.SigTagSuffixOverride))

diff --git a/pkg/sget/sget.go b/pkg/sget/sget.go
@@ -27,6 +27,7 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/verify"
+	ociremote "github.com/sigstore/cosign/internal/oci/remote"
 	"github.com/sigstore/cosign/pkg/cosign"
 	sigs "github.com/sigstore/cosign/pkg/signature"
 )
@@ -57,12 +58,14 @@ func (sg *SecureGet) Do(ctx context.Context) error {
 		}
 	}
 
+	opts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+		remote.WithContext(ctx),
+	}
+
 	co := &cosign.CheckOpts{
-		ClaimVerifier: cosign.SimpleClaimVerifier,
-		RegistryClientOpts: []remote.Option{
-			remote.WithAuthFromKeychain(authn.DefaultKeychain),
-			remote.WithContext(ctx),
-		},
+		ClaimVerifier:      cosign.SimpleClaimVerifier,
+		RegistryClientOpts: []ociremote.Option{ociremote.WithRemoteOptions(opts...)},
 	}
 	if sg.KeyRef != "" {
 		pub, err := sigs.LoadPublicKey(ctx, sg.KeyRef)
@@ -83,7 +86,8 @@ func (sg *SecureGet) Do(ctx context.Context) error {
 		verify.PrintVerification(sg.ImageRef, sp, "text")
 	}
 
-	img, err := remote.Image(ref, co.RegistryClientOpts...)
+	// TODO(mattmoor): Depending on what this is, use the higher-level stuff.
+	img, err := remote.Image(ref, opts...)
 	if err != nil {
 		return err
 	}